The scenario is about business secrets, and our clients do worry about data leakage. They want to know whether the suspect copied that data to an external hard drive or not. In fact, it is not easy for forensic guys to answer this question. Of course, if you copy data from a local drive to an external drive and then access those files on the external drive, some LNK files will be created.
But if you only copy files and folders from a local drive to an external drive in Windows, you cannot find any "copy artifacts" in log files or the registry... So how do we know whether the suspect copied files and folders to an external drive or not? As far as I know, the only way to do this is to monitor and record file and folder manipulation; then you can take a look at the logs to see what is going on.
Let me show you how to do it. You guys could take a look at my blog below:
http//
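The LNK artifact mentioned in the post above is worth looking at concretely. The example below is added here; it is not code from the original post or from the linked blog. It parses the LinkInfo block of a Windows Shell Link (.lnk) file as laid out in the MS-SHLLINK specification: the DriveType, volume serial number and volume label of the volume the target lived on when the link was created, plus the target path. A target on DRIVE_REMOVABLE (2) is the clue a forensic examiner wants, and the serial number and label can then be matched against the registry data Windows keeps about mounted devices. The two .lnk blobs are constructed inside the block (no real LNK file is used) and carry only the header and a LinkInfo block; real files usually also contain a LinkTargetIDList and string data, which the parser skips over or stops before. One caveat: many external USB hard disks report DRIVE_FIXED (3) rather than DRIVE_REMOVABLE, so the drive type alone does not settle the question; the serial number and label are the stronger evidence.

```python
import struct

# Constants from MS-SHLLINK (the .lnk format specification)
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
               3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK"}


def _cstr(buf, off):
    """NUL-terminated ANSI string at buf[off:]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def _wstr(buf, off):
    """NUL-terminated UTF-16LE string at buf[off:]."""
    end = off
    while buf[end:end + 2] not in (b"", b"\x00\x00"):
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_lnk(data):
    """Return the volume and path information recorded in a .lnk file's LinkInfo block."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the item ID list if present
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    info = {"drive_type": None, "drive_type_name": None, "volume_serial": None,
            "volume_label": None, "target_path": None}
    if not flags & HAS_LINK_INFO:
        return info
    li = pos                                      # LinkInfo offsets are relative to here
    (_li_size, _li_hdr_size, li_flags, vol_off, base_off,
     _net_off, suffix_off) = struct.unpack_from("<7I", data, li)
    if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        v = li + vol_off
        _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, v)
        if label_off == 0x14:                     # label is stored as Unicode instead
            (uni_off,) = struct.unpack_from("<I", data, v + 16)
            label = _wstr(data, v + uni_off)
        else:
            label = _cstr(data, v + label_off)
        info.update(drive_type=drive_type,
                    drive_type_name=DRIVE_TYPES.get(drive_type, "DRIVE_UNKNOWN"),
                    volume_serial="%08X" % serial, volume_label=label,
                    target_path=_cstr(data, li + base_off) + _cstr(data, li + suffix_off))
    return info


def targets_on_removable_media(lnk_blobs):
    """Keep only the (name, bytes) .lnk blobs whose target lived on removable media."""
    hits = []
    for name, blob in lnk_blobs:
        info = parse_lnk(blob)
        if info["drive_type"] == 2:
            hits.append((name, info["target_path"], info["volume_serial"], info["volume_label"]))
    return hits


def build_sample_lnk(drive_type, serial, label, base_path):
    """Constructed test data: a minimal .lnk with only a header and a LinkInfo block
    (real files also carry an item ID list and string data, which parse_lnk skips)."""
    label_b = label.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b = base_path.encode("latin-1") + b"\x00"
    suffix_b = b"\x00"                            # empty CommonPathSuffix
    vol_off = 0x1C                                # LinkInfoHeaderSize without Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    link_info = struct.pack("<7I", suffix_off + len(suffix_b), 0x1C,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0,
                            suffix_off) + volume_id + base_b + suffix_b
    header = struct.pack("<I16sI", 0x4C, SHELL_LINK_CLSID, HAS_LINK_INFO)
    header += b"\x00" * (0x4C - len(header))      # attributes, timestamps, size left zero
    return header + link_info


# Constructed samples: one link to a file on a USB stick, one to a file on the system disk
SAMPLE_LNKS = [
    ("secret_plan.docx.lnk", build_sample_lnk(2, 0x1234ABCD, "USBDISK", "E:\\secret_plan.docx")),
    ("budget.xlsx.lnk", build_sample_lnk(3, 0x0BADF00D, "OS", "C:\\Projects\\budget.xlsx")),
]

if __name__ == "__main__":
    for name, path, serial, label in targets_on_removable_media(SAMPLE_LNKS):
        print(f"{name}: target {path} on removable volume {label} (serial {serial})")
```

To use this on a real case, read the .lnk files from the user's Recent folder and feed them as (name, bytes) pairs to targets_on_removable_media; remember that a link only proves the file was opened from that volume, not that it was copied there by that user.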
There are plenty of commercial solutions that monitor for data leakage; some are great, but most are not cheap to roll out en masse.
The best thing that could happen would be for Microsoft to fix the sorry state of their own file access monitoring logs that come with Windows so they would be useful.
That's true. But the purpose of an operating system is not to audit file and folder activities... If I want to know whether suspects copied data from local drives to external drives or not, there won't be any so-called "copy artifacts". Forensic guys will need other artifacts, like LNK files or the USB last-plugged log, etc., in order to find the clue when it comes to a business secret leakage case.
If I want to know whether suspects copied data from local drives to external drives or not, there won't be any so-called "copy artifacts".
I really don't get it. (
Basically you are suggesting installing a third-party file activity logger on all machines in an organization BEFORE any incident happens.
Then you could as well additionally install a keylogger, take a screenshot every, say, 5 seconds when any activity is detected, and take a picture with the camera on the PC (just to make sure to identify the user).
Or you could videotape the actual workplace 24/7, besides searching all employees (and X-raying their belongings) both when they enter the building and when they leave it, and monitoring/recording all network traffic.
You won't answer the question you stated:
The scenario is about business secrets, and our clients do worry about data leakage. They want to know whether the suspect copied that data to an external hard drive or not. In fact, it is not easy for forensic guys to answer this question.
With this approach, at most you will obtain, when and if the suspect (or any other employee) copies the files (again), a log of the action.
jaclaz
That's what I want to point out. In the traditional forensic way, there are no so-called "copy artifacts", so we may need a monitoring and recording mechanism to achieve this goal.
Some hi-tech companies/organizations deploy such a mechanism because they are really afraid of business secret leakage. Without that kind of mechanism, it's not easy for forensic guys to find precise evidence of whether suspects copied data from local drives to external drives or not.
I won't expect the operating system to take care of such an issue. It is not its main task. Maybe you guys could come up with a better solution, and I'd appreciate your providing me any info you have.
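The "monitoring and recording mechanism" asked for above can, on a locked-down Windows box, be built from the audit log itself rather than a third-party logger: with a SACL on the sensitive folder and the Audit Removable Storage subcategory enabled (Windows 8 / Server 2012 and later), the Security log records a 4663 event for each read of the source file and each write to the removable volume. Neither event says "copy", so a correlation step is needed. The block below is an added example, not code from the original poster or from any product mentioned in the thread. The event lines are constructed and flattened to one key=value line each (the real events are XML, and only the fields used here are kept); the heuristic, which is an assumption of the example, not a Windows feature, pairs a ReadData (0x1) access on a non-removable path with a WriteData/AppendData (0x2/0x4) access to a file of the same name on a removable drive, by the same user and process, within a short window.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Access mask bits as they appear in the AccessMask field of a 4663 event
READ_DATA = 0x1
WRITE_DATA = 0x2
APPEND_DATA = 0x4

# Constructed sample log: one flattened 4663 event per line (not real captured data)
SAMPLE_EVENTS = """\
2013-05-06T09:12:01 EventID=4663 SubjectUserName=alice ObjectName=C:\\Projects\\secret_plan.docx AccessMask=0x1 ProcessName=C:\\Windows\\explorer.exe
2013-05-06T09:12:02 EventID=4663 SubjectUserName=alice ObjectName=E:\\secret_plan.docx AccessMask=0x2 ProcessName=C:\\Windows\\explorer.exe
2013-05-06T09:30:15 EventID=4663 SubjectUserName=alice ObjectName=C:\\Projects\\budget.xlsx AccessMask=0x1 ProcessName=C:\\Program Files\\Office\\EXCEL.EXE
2013-05-06T11:02:40 EventID=4663 SubjectUserName=bob ObjectName=E:\\notes.txt AccessMask=0x2 ProcessName=C:\\Windows\\notepad.exe
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) SubjectUserName=(?P<user>\S+) "
    r"ObjectName=(?P<obj>.+?) AccessMask=(?P<mask>0x[0-9A-Fa-f]+) ProcessName=(?P<proc>.+)$"
)


def parse_events(text):
    """Turn the flattened log text into a list of 4663 event dicts; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m.group("id") != "4663":
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "user": m.group("user"),
            "object": m.group("obj"),
            "mask": int(m.group("mask"), 16),
            "process": m.group("proc"),
        })
    return events


def find_copy_candidates(events, removable_drives=("E:",), window=timedelta(seconds=60)):
    """Pair a read of a local file with a write of a same-named file on a removable drive
    by the same user and process shortly afterwards. The pairing is a heuristic: a file
    renamed during the copy, or copied via an intermediate (e.g. a ZIP), is missed."""
    removable = tuple(d.upper() for d in removable_drives)
    reads = [e for e in events
             if e["mask"] & READ_DATA and not e["object"].upper().startswith(removable)]
    candidates = []
    for w in events:
        if not w["mask"] & (WRITE_DATA | APPEND_DATA):
            continue
        if not w["object"].upper().startswith(removable):
            continue
        name = ntpath.basename(w["object"]).lower()
        for r in reads:
            delay = w["ts"] - r["ts"]
            if (r["user"] == w["user"]
                    and r["process"].lower() == w["process"].lower()
                    and ntpath.basename(r["object"]).lower() == name
                    and timedelta(0) <= delay <= window):
                candidates.append({
                    "user": w["user"], "process": w["process"],
                    "source": r["object"], "destination": w["object"],
                    "delay_s": delay.total_seconds(),
                })
    return candidates


if __name__ == "__main__":
    for c in find_copy_candidates(parse_events(SAMPLE_EVENTS)):
        print(f"{c['user']} ({c['process']}): {c['source']} -> {c['destination']} "
              f"after {c['delay_s']:.0f}s")
```

Note what this does and does not give you: the output is still circumstantial (a read followed by a write of a same-named file), only as good as the audit policy that was in place beforehand, and the removable drive letters must be known, for example from the USB device registry keys for the same time range; it is an ex-ante measure, which is exactly the distinction the rest of the thread draws.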
Some hi-tech companies/organizations deploy such a mechanism because they are really afraid of business secret leakage.
No. (
They may deploy such a simple file copying logger as part of a whole MUCH MORE COMPLEX SET of measures to AVOID the copying; people that are really afraid of data leakage want to PREVENT the leakage, not to be able to know that it happened, and who did it and when, AFTER it happened.
All in all, the whole thing belongs to security much more than to forensics.
In organizations where these kinds of things are looked upon, people are not allowed to connect any device (except, maybe, approved ones) to their PCs (the PCs and the running OS are pretty much locked down); all outbound connections are, besides being logged, definitely restricted and/or monitored in real time; and it is forbidden to actually bring any memory device, telephone, camera, etc. into or out of the building, or, in some cases, there are even more intrusive checks, such as, as said, X-raying anything both in and out, personal searches, full-time video recording, etc.
You normally cannot impose this kind of restriction on "normal businesses" (outside the military, LE, or "classified" research or similar), and in many countries you cannot even legally install monitoring software such as keyloggers or similar (though a file copying logger like the ones you mentioned may be OK) or continuously video-record employees.
Without that kind of mechanism, it's not easy for forensic guys to find precise evidence of whether suspects copied data from local drives to external drives or not.
Sure it isn't easy.
I won't expect the operating system to take care of such an issue. It is not its main task.
Yep, definitely it is not strictly an OS business.
jaclaz
Maybe monitoring employees' computers is illegal, but still lots of companies deploy content filter equipment. As we know, there are lots of content filter SW/HW solutions. Usually, when signing the employment contract, employees will know that there is a monitoring mechanism. That means employees accept it in the first place, so there may be no legal issue under these circumstances.
Don't get me wrong. I'm not saying we should use this monitoring mechanism. I just hope there is a way to make catching data leakage easier for forensic guys.
Don't get me wrong. I'm not saying we should use this monitoring mechanism. I just hope there is a way to make catching data leakage easier for forensic guys.
Sure. )
Still, you are IMHO mixing two completely different aspects, security vs. forensics; in a nutshell:
security = measures taken BEFORE anything may happen, ex ante
forensics = investigations made AFTER something has ALREADY happened, ex post
The tool you suggested (or anything similar) is a "preventive" measure (BTW not really effective in the context of security) which may of course be useful for "later" investigations, but that does not represent a "solution" (besides possible legal implications).
jaclaz
Of course it's a dilemma. I want to ensure my own security, and on the other hand I want to make forensics easier.
It's like my friends asking me to recover data for them, but being unwilling to be the ones examined by me.
If you ask my opinion about content filters, since there is no better way to get so-called copy artifacts, I will say it's necessary to deploy a content filter to control or monitor employee activities (including data leakage). Maybe it sounds like I'm selfish, but I'm a good guy and I'm a forensic guy. I'm really tired of collecting lots of indirect artifacts just to prove whether the suspect did copy something very important to an external drive or not.
If you ask my opinion about content filters, since there is no better way to get so-called copy artifacts, I will say it's necessary to deploy a content filter to control or monitor employee activities (including data leakage). Maybe it sounds like I'm selfish, but I'm a good guy and I'm a forensic guy. I'm really tired of collecting lots of indirect artifacts just to prove whether the suspect did copy something very important to an external drive or not.
And, again, the actual way is to disable ANY possibility of copying to external (local) drives by the user, or to trigger a real-time alarm when this happens; your approach is a lot like the (old Italian saying/proverb)
Chiudere la stalla dopo che i buoi sono scappati. (Closing the barn after the oxen have escaped.)
which has an English correspondent with
Closing the stable door after the horse has bolted.
jaclaz